The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) develop and publish international standards. These standards are published as ISO/IEC numbered designations. It’s common to see these standards abbreviated as ISO. For example, the ISO/IEC 27002 standard is often shortened to ISO 27002.

ISO/IEC 27002 is titled “Information Technology—Security Techniques—Code of Practice for Information Security Controls.” This is a popular industry standard for establishing and managing an IT security program. ISO/IEC 27002 outlines 15 main areas that compose the framework:

1. Foreword—Describes the overall purpose and key references for the document. This includes the following key areas:
   • Scope
   • Terms of reference
   • Structure of the document
2. Information security policy—Describes how management should define an information security policy. Organizations usually maintain detailed security policies in a library. Information security standards, procedures, and guidelines support the library.
3. Organization of information security—Describes how to design and implement an information security governance structure. This section describes the need for an internal group that manages the program, including the governance of business partners.
4. Human resources security—Describes security aspects for employees joining, moving within, or leaving an organization. The organization should manage system access rights. The organization should also provide security awareness, training, and education. Section 4 covers these employment phases:
   • Prior to employment
   • During employment
   • Termination or change of employment
5. Asset management—Describes inventory and classification of information assets. The organization should understand what information assets it holds, and manage their security appropriately. This section covers responsibility for assets and information classification.
6. Access control—Describes restriction of access rights to networks, systems, applications, functions, and data. This section addresses controlled logical access to IT systems, networks, and data to prevent unauthorized use. The following topics are covered:
   • Business requirements for a control
   • User access management
   • User responsibilities
   • Network access control
   • Operating system access control
   • Application and information access control
   • Mobile computing and remote employee access
7. Cryptography—Describes the use and controls related to encryption. This includes the following key control areas:
   • Cryptographic authentication
   • Cryptographic key management
   • Digital signatures
   • Message authentication
8. Physical and environmental security—Describes protection of computer facilities. Valuable IT equipment should be physically protected against malicious or accidental damage or loss, overheating, loss of main power, and so on. This section covers:
   • Secure areas
   • Equipment security
   • Critical IT equipment, such as cabling and power supplies
9. Operations security—Describes operational management of controls to ensure that capacity is adequate and performance is delivered. This section includes these key topics:
   • Operational procedures and responsibilities
   • Protection against malicious and mobile code
   • Backups
   • Logging and monitoring
   • Information systems audit coordination
10. Communications security—Describes securing the network and controlling access to information by third parties. This section includes these topics:
    • Third-party service delivery management
    • Network security management
11. Systems acquisition, development, and maintenance—Describes building security into applications. Information security must be taken into account in the systems development life cycle (SDLC) processes for specifying, building/acquiring, testing, implementing, and maintaining IT systems. These activities include the following:
    • Security requirements of information systems
    • Correct processing in application systems
    • Cryptographic controls
    • Security of system files
    • Security in development and support processes
    • Technical vulnerability management
12. Supplier relationships—Describes the policy and procedures needed to monitor suppliers’ information security controls. This includes but is not limited to:
    • How suppliers access company information
    • How suppliers access the company network
    • Monitoring access and activity of suppliers when they are on the organization’s network
    • Managing access rights when supplier personnel change roles
    • Auditing suppliers to service level agreements
13. Information security incident management—Describes anticipating and responding appropriately to information security breaches. Information security events, incidents, and weaknesses should be promptly reported and properly managed. This section of the standard covers:
    • Reporting information security events and weaknesses
    • Managing information security incidents and improvements
14. Information security aspects of business continuity management—Describes protecting, maintaining, and recovering business-critical processes and systems. This section describes the relationship among IT disaster recovery planning, business continuity management, and contingency planning, ranging from analysis and documentation through regular exercising/testing of the plans. Controls are designed to minimize the impact of security incidents that occur despite the preventive controls from elsewhere in the standard.
15. Compliance—Describes areas for compliance, which include:
    • Compliance with legal requirements
    • Compliance with security policies and standards, and technical compliance
    • Information systems audit considerations

ISO/IEC 27002 covers the three aspects of the information security management program: managerial, operational, and technical activities. All three must be present in any IT security program for comprehensive coverage. For more information about ISO/IEC 27002, visit http://www.iso27001security.com/html/27002.html.

ISO/IEC 30105, “Information Technology—IT Enabled Services-Business Process Outsourcing (ITES-BPO) Lifecycle Processes,” covers outsourced processes. Some processes are outsourced in every organization. There must be clear policies that govern the entire outsourcing process, including methods, procedures, and operations.

There are five parts to this standard:

• Part 1: Process reference model
• Part 2: Process assessment model
• Part 3: Measurement framework and organization maturity model
• Part 4: Terms and concepts
• Part 5: Guidelines

In relationship to frameworks, clearly Part 3 is of interest, but so is Part 5. This standard specifies all the steps in outsourcing, including planning, establishing, operating, monitoring, reviewing, maintaining, and improving services. Given the ubiquitous nature of outsourcing at least some business functionality, it is worthwhile to have at least a general understanding of this standard.

The ISO 27007 standard, “Information Technology—Security Techniques—Guidelines for Information Security Management Systems Auditing,” was first published in 2011 and was revised in 2017. When it was revised again in 2020 the name was changed to “Information Security, Cybersecurity, and Privacy Protection — Guidelines for Information Security Management Systems Auditing”. This standard governs compliance auditing for information technology. This may seem far removed from frameworks; however, it provides a basis for any framework. Looking at the security policy framework from the perspective of compliance with audit requirements can be an effective approach for many organizations.

NIST is an agency of the U.S. Department of Commerce. NIST develops information security standards and guidelines for implementing them. NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” is the primary standard for federal systems.

Organizations often rely on NIST publications for reference and to develop internal IT security management programs. NIST SP 800-53 uses a framework similar to ISO/IEC 27002; however, NIST SP 800-53 includes 18 areas that address managerial, operational, and technical controls. TABLE 6-1 summarizes NIST SP 800-53 rev. 4.

For more information about NIST SP 800-53, visit https://nvd.nist.gov/800-53

Version 4 of this standard was published in February 2012. The fifth version of this standard had a final draft release in March 2020 and is set for publication in late 2020. The basics of the standard are the same, but have been enhanced in the following ways:

• Making the security and privacy controls outcome-based
• Integrating privacy controls into the security control catalogue
• Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations
• Promoting integration with different risk management and cybersecurity approaches
• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data

An issue-specific standard focuses on an area of current relevance and concern to your company. Be prepared for frequent revision of these standards because of changes in technology and other related factors. As new technologies develop, some issues diminish in importance while new ones continually appear. For example, it might be important to issue a standard on the proper use of a cutting-edge technology even if the security vulnerabilities are still unknown.

A useful structure for issue-specific or baseline standards is to break the document into basic components. The components are described in the following sections.

Statement of an Issue. This section defines a security issue and any relevant terms, distinctions, and conditions. For example, an organization might want an issue-specific policy on the use of Internet access. The standard would define which Internet activities you permit and those you don’t permit. You may need to include other conditions, such as prohibiting Internet access using a personal connection from an employee’s desktop PC.

Statement of the Organization’s Position. This section should clearly state an organization’s position on the issue at hand. To continue with the example of Internet access, the policy should state which types of sites are prohibited. Examples of these sites may be pornography, brokerage, and/or gambling sites. The policy should also state whether further guidelines are available, and whether case-by-case exceptions may be granted, by whom, and on what basis.

Statement of Applicability. This section should clearly state where, how, when, to whom, and to what a particular policy applies. For example, a policy on Internet access may apply only to the organization’s on-site resources and employees and not to contractors with offices at other locations.

Definition of Roles and Responsibilities. This section assigns roles and responsibilities. Continuing with the Internet example, if the policy permits private Internet service provider (ISP) accesses with the appropriate approvals, identify the approving authority in the document. The office or department(s) responsible for compliance should also be named.

Compliance. This section gives descriptions of the infractions that are unacceptable and states the corresponding penalties. Penalties must be consistent with your personnel policies and practices and need to be coordinated with appropriate management.

Points of Contact. This section lists the areas of the organization accountable for the policies’ implementation. These are typically the subject matter experts (SMEs). They interpret the policy. Often they are also in charge of ensuring the controls are in place to enforce the policy. This section may also identify other applicable standards or guidelines. For some issues, the point of contact might be a line manager. For other issues, it might be a facility manager, technical support person, systems administrator, or security program representative.

A system-specific standard, or baseline standard, is focused on the secure configuration of a specific system, device, operating system, or application. Many security policy decisions apply only at the system level.

Examples include:

• Who is allowed to read or modify data in the system?
• Under what conditions can data be read or modified?
• What firewall ports and protocols are permitted?
• Are users allowed to access the corporate network from home or while traveling?

Situations arise in which your organization cannot meet one or more standards immediately. You must recognize an exception to standards to determine where problems may exist.

Periodic reviews of these exceptions can also lead to improvements to the standards when many exceptions point to a general inability to meet compliance goals. Paying attention to exceptions is vital to ensuring that the policy framework remains relevant and current.

Exceptions are seldom approved “forever.” Typically, they are reexamined annually. This allows leadership to discuss whether they are willing to accept the risk for another year or fund the changes needed to ensure compliance with security policies. Exceptions often include a discussion of compensating controls and mitigating controls. Compensating controls mean that although you cannot meet the letter of the policies, you can still achieve their goals through other means. Mitigating controls mean that although you cannot meet all the policies’ goals, you can still achieve partial compliance. It’s important to understand when you are approving a security exception how much risk you are accepting.